Re: Domainkeys and ISPs
On Fri, Mar 14, 2008 at 07:02:58AM +0800, Thomas Goirand wrote:
> Lionel Elie Mamane wrote:
>> On Thu, Mar 13, 2008 at 11:43:49PM +0800, Thomas Goirand wrote:
>>> I just had a test with dkimproxy. A very simple test with the
>>> mailx package (eg: Mail from the command line).
>>> So as you see, dkimproxy needs a list of domains for which it
>>> signs email. If you are receiving a mail from another server, and
>>> then forwards it, of course, it's not in the list, and then it's
>>> not signed.
>> That doesn't sound obvious to me. Let's assume you have two users,
>> A and B, with email addresses A@example.org and B@example.org . B
>> get his email forwarded to email@example.com, and A runs his own
>> direct-to-MX delivery server (or relay server) (or contracts one
>> from a third party; the point is not yours).
>> That's a situation where your assumption of "If you are receiving a
>> mail from another server, and then forwards it, of course, it's not
>> in the list" does not hold: If A sends a mail to B@example.org with
>> return path of A@example.org; should that mail get signed? Probably
>> not. Because if you sign that mail, you'll also sign joe-job spam
>> mail, and that's something you wouldn't want, I presume.
> In that case, I believe that our normal postfix rules would detect it,
> and reject the email, no?
I'm not sure if "that case" refers to A's legit mail or to the joe-job
If it refers to A's legit mail:
Why would you want to reject the email? It is one of your users using
his email address in your domain to send mail to another of your
users. Totally legit, bona fide, all that.
If it refers to the joe-job spam:
How do you differentiate between A's legit mail and the joe-job?
> Anyway, I don't think it's based on the return-path: field...
I was refering to the return path in the SMTP envelope, obviously. If
the "the list of domains for which it signs mail" is not a list of
domains for the return path / sender in the SMTP envelope, then it is
a list of domains for *what*?